New European Union rules on artificial intelligence come into force. Many Italian companies are not yet compliant: in addition to sanctions, the risk of “Shadow AI” and the leak of confidential data is growing. How to meet the August deadline
The countdown is winding down. From the August 2 most of the regulations come into forceAI Actthe first law in the world entirely dedicated to artificial intelligence, desired by the European Union to govern the development and use of these technologies. From that date, checks will begin on companies and those who do not comply risk very heavy fines. And with a few weeks to go before the deadline, the majority of Italian companies are not ready according to an analysis by AIDAPT (Italian startup specializing in Agentic AI). MLess than 20% of companies have started training courses on artificial intelligence for their employees, an obligation that has actually already been operational since February 2025. A delay that exposes companies not only to the risk of fines, but also to a much more concrete and daily danger: the uncontrolled dissemination of confidential data.
What changes from August 2: obligations and sanctions of the AI Act
The AI Act is not a last-minute innovation: the European regulation has gradually come into force. From 2 February 2025, the obligation to guarantee all employees an adequate level of artificial intelligence literacy is already active. In practice, theoretical courses are not enough: workers must be able to recognize which sensitive data should never be inserted into AI systems, verify the answers obtained from the tools, especially on issues relevant to the company or customers, and avoid delegating decisions to machines that remain a human responsibility. The most delicate phase begins on August 2nd: the checks. Non-compliant companies are at risk fines of up to 35 million euros or 7% of annual global turnover for the most serious violationswith reduced amounts for SMEs and startups. For other non-compliances the thresholds are lower, but still remain significant.
The real risk is called “Shadow AI”
And beyond fines, the most insidious danger for Italian companies concerns everyday life in offices. Is called Shadow AI: The phenomenon whereby employees use artificial intelligence tools on their own initiative, without any approval from the company. The numbers tell a widespread situation: according to sector data, the 27% of employees adopt AI tools without company permission. Chatbots, virtual assistants, artificial intelligence functions integrated into commonly used software: all this, if not managed, becomes an open door to possible leaks of confidential information, customer data, contracts, commercial strategies. According to AIDAPT analysis 65% of companies have not yet provided any internal directives on the use of artificial intelligence to their employees. A fact which, combined with poor training, paints a picture in which many Italian companies today find themselves far from the compliance required by the AI Act.
Five steps to take for AI Act compliance from August 2nd
How to get in order in time? According to AIDAPT experts, the first step is to map all the AI tools already in use in the company, including those adopted by employees without authorization: that is precisely where the largest part of the risk is concentrated, and the inventory must be updated every time something changes. The second step is to replace personal accounts with corporate licenses, so as to have clear conditions of use and transparent control over where the entered data ends up. Staff training followsthe most urgent requirement because it has already been mandatory since February 2025: short courses, targeted at the different roles and documented, are enough, so as to be able to demonstrate them in the event of an inspection. It’s useful then put internal regulations in writing short and clear, which establishes which tools are allowed, which data must never leave the company and who approves new uses. Finally, for each tool adopted it must be verified whether the data remains in the European Union and whether it can be used to train AI models: it is the point where the AI Act intersects with the GDPR, and it is also the most delicate aspect when customer or employee data is at stake.



